
UK Commercial Law case precedent on alleged financial damage to a remotely hacked server ?

There is an interesting legal judgement, by a Court in the UK, regarding an allegation of unauthorised computer access over the internet from a foreign country, which has some relevance to Gary McKinnon's case, if it should ever be heard in a British court.

Ashton Investments Ltd. & Anor v OJSC Russian Aluminium (Rusal) & Ors [2006] EWHC 2545 (Comm) (18 October 2006)

This was heard by Mr. Jonathan Hirst QC, sitting as a Deputy Judge of the High Court, Queen's Bench Division Commercial Court.

The case involves the alleged hacking into a computer in London, by or on behalf of a Russian company involved in a legal case against another Russian company, supposedly in order to get a sneaky view of confidential documents relevant to a forthcoming court case.

The defendants claim that the only evidence that they had anything to do with the incident is one logfile entry fingering an IP address allocated to part of their company in Russia. The incident involved the planting of spyware and key logger software on the server and a workstation in London, i.e. not just a Computer Misuse Act section 1 unauthorised access offence, but a section 3 unauthorised modification of data offence.

This IP address (as well as others from mobile phones, and internet service providers in other countries like Austria) seems to have been used to gain remote administrator access, presumably using Microsoft's Remote Desktop support feature, by typing in the administrator username and password, which had probably been snarfed by the keylogger software.

The defendants' claim that this IP address could have been accessed through their, at the time, open and unsecured WiFi wireless LAN network is probably true, given the virtual impossibility of securing such networks from the wide range of off the shelf WiFi hacking and man-in-the-middle attack tools available on the internet.

However, the Judge took the view that even though the Russian offices were near a Technical University, where there might have been people with the ability and equipment to do this from outside of their offices, the people with the most motive were likely to be working for, or on behalf of, the Russian company itself.

The Judge ran roughshod over the claims that the case could be heard in Russia, since they do have both criminal and civil laws which are relevant, but which he claimed might be "too slow" or "too cumbersome".

He therefore decided that the legal forum for the hearing before his court was in England, rather than in Russia.

That is not to say that the Judge was ordering that any Russians should be extradited to the UK to face Computer Misuse Act charges, just that the application for financial damages regarding a conspiracy to breach confidentiality should be heard in a UK court, given that this breach of confidentiality involved a forthcoming Court case being heard in the UK anyway.

However, the interesting part of his judgement which might be relevant to Gary McKinnon, is the Judge's quick and comprehensive dismissal of a claim for alleged financial damages to the insecure computer system in London.

60 Miss Dohmann also argued that no real damage was caused to the Claimants. The Particulars of Claim plead as follows:

  • 53. As a result of the said breach of confidence and/or unlawful interference and/or conspiracy by unlawful means and/or inducement of breach of confidence the Claimants have suffered loss and damage in a sum to be fully particularised following disclosure and/or expert evidence herein, but including:

  • 53.1 the cost of a new server … ;

  • 53.2 the costs of investigations and ancillary work carried out by Ashton's IT consultants … ;

  • 53.3 the cost of investigations by the forensic computer experts … .

These claims could not be sustained. Ashton's computer system was so inadequately protected from outside interference, that costs would have to be incurred anyway to upgrade the system to an adequate configuration. Further the cost of the new server, £3,231.25, was so trivial that it was utterly disproportionate to bring foreign defendants in.

In order to hack into this server, keylogger software had to be installed and an administrator password snarfed.

This is therefore actually far more secure than the US Military computer systems which Gary McKinnon, and presumably lots of other people, had access to, which had the default Administrator username ("Administrator") and, by default, no password whatsoever.

Surely exactly the same argument applies to the exaggerated $5,000 per computer claims (totalling around an alleged million dollars) in the Gary McKinnon case i.e. any expenditure on these systems would have had to have been incurred anyway, to rectify the criminal negligence of the managers and senior military officers responsible for them ?

Surely the opinion of a High Court Judge dealing with Commercial Law is going to be highly relevant in assessing the alleged amount of financial damage caused by an unauthorised access to a weakly secured computer system ?

Comments

FREE GARY!...

GARY IS NOT ALONE.

GARY IS NOT ALONE!


I’m a person who knows what she wants. I’m not the one who has a lot of free time to write comments here and discuss stupid and silly news, like you do. It’s so funny that you all take it seriously, start thinking about it and so on. I would never spend my time on such stupidity. I just want to say that there’s a real world, where you can spread rumors and argue. Why are you doing this online? You look so funny!

